There's a lot more to the Heartbleed bug than meets the eye

There is a lot more to the internet bug Heartbleed than meets the eye, and a lot of people still don't realise the overall impact
it can have on internet users all over the globe.

And the reason is that it doesn't just affect websites-- there's a lot more to it. The so-called Heartbleed bug was also discovered in
the electronic gadgets we use every day to connect to the Web.

Networking giants Cisco and Juniper have identified about twenty-five networking devices affected by the bug, including servers,
routers, switches, phones and video cameras used by small and large businesses everywhere.

The two companies are also reviewing dozens more devices to determine whether they're impacted by the bug as well. This means that for the
past two years someone could have been able to tap your phone calls and voicemails at work, all your emails and entire work sessions at your
computer, iPhone or Blackberry.

Worse, you also could have been compromised if you logged into work from home remotely. The really disturbing fact is that you'll probably
never know if you were hacked or not!

"This is why this is being called the biggest exploit since 2002. It's so big and so encompassing," said Sam Bowling, a senior infrastructure
engineer.

So you may ask-- what does exposure actually mean? What could be hacked? Here is a rundown, provided by researchers at security provider
SilverSky and Singlehop.

Work phone -- At least four types of Cisco IP phones were affected. If the phones are not behind a protective network firewall, someone could use Heartbleed
to tap into your phone's memory banks. That would yield audio snippets of your conversation, your voicemail password and call log.

Company video conference -- Some specific versions of Cisco's WebEx service are vulnerable. Hackers could grab images on the shared
screen, audio and video as well.

Smartphone -- To let employees access work files from their iPhones and Android devices, some companies opt for Cisco's AnyConnect Secure
Mobility Client app for iOS, which was impacted by Heartbleed. An outsider could have seen whatever you accessed with that mobile app.

VPN -- Some versions of Juniper's virtual private network service are also compromised. If anyone tapped in, they could grab whatever is
on your computer's memory at the time. That includes entire sessions on email messaging, banking transactions, social media, etc. etc.

Networking switches -- One type of Cisco software that runs Internet switches is at risk. They're notoriously difficult to access, but
they could let an outsider intercept traffic coming over the network, nevertheless.

Cisco, Juniper and Apple didn't respond to questions, but on its site, Juniper did tell its customers-- "We are working around the clock
to provide fixed and stable releases of code for our affected products."

However, removing the bug on those devices won't be easy and isn't as simple as it sounds. Cisco and Juniper both say that the onus is on
each system admin or company using those devices. And that's where the problem lies.

"And one of the biggest problems with Heartbleed is that many small and medium-size businesses aren't very likely to ever upgrade, and
they're going to have a tremendous amount of exposure for a very long time," said John Viega, an internet security expert and an
executive at security provider SilverSky.

That is why just changing passwords isn't necessarily enough by itself to overcome the potential damage caused by the Heartbleed bug.
Even if a website isn't vulnerable when communicating with its customers, the company's servers might still be exposed.

The issue doesn't seem to be widespread on the consumer side, however. Both Linksys and D-Link make many of the routers we use to
connect to the internet from home, and they say none of their devices are affected. But Netgear has not posted updates or returned to us
for comment.

In other internet security news

In the last few years, several web portals and testing tools have popped up to check whether servers and other equipment
are vulnerable to OpenSSL's 'Heartbleed' bug, and that's fine. The only problem is that those tools have unearthed several anomalies
in computer crime law on both sides of the Atlantic.

Both the U.S. Computer Fraud and Abuse Act and its British equivalent, the Computer Misuse Act, make it illegal to test
the security of third-party websites without prior permission.

Specifically, testing to see what version of OpenSSL a website is running, and whether it also supports the vulnerable Heartbeat protocol,
would be legal. But doing anything more active, without permission from the website owners, would put security researchers on the
wrong side of the law, making it a federal crime.

Chris Wysopal, co-founder of Veracode and former member of the celebrated Boston-based hacking crew Lopht, was among the first security
researchers to raise the issue. "I would say it would certainly contravene the Computer Misuse Act in Britain," said computer security
researcher David Litchfield, a celebrated expert in database security issues.

"This is no different than testing to see if a site is vulnerable to SQL injection. It's not legal without permission," he added.

Unauthorised security probing is illegal under section 3 of Britain's Computer Misuse Act of 1990, whatever the intent, as case law
has established.

Information technology lawyer Dai Davis, a solicitor at Percy Crow Davis & Co says
that actively scanning for the Heartbleed vulnerability would violate the U.K. computer crime laws, even though this "violation" is unlikely
to be enforced. But it can be, nevertheless.

"Under current British law, you could argue that running scans is just about criminal," Davis added. "It's not in the spirit of the
law but the Computer Misuse Act is badly written, but that's how it stands today, like it or not."

Some security researchers argued that there ought to be an exemption to these laws if the activity is "helpful", while others say that
this aspect of computer crime law is not being enforced or is, in any case, being ignored.

"It’s not legal, but vast numbers of otherwise ethical security professionals are testing every site on the internet. And that's being done every single day,"
tweeted Martin McKeay, a security researcher at Akamai.

Heartbleed is a catastrophic flaw in widely used OpenSSL that creates a means for attackers to lift passwords, crypto-keys and other
sensitive data from the memory of secure server software, 64 KB at a time.
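As an added illustration (not code from the article, and not OpenSSL's own source), this simplified C model shows why a heartbeat request could pull unrelated bytes out of server memory: the vulnerable handler trusts the peer-supplied payload length, while the fixed handler, like the 1.0.1g patch, discards any request whose claimed length exceeds the bytes actually received. The record layout follows RFC 6520, but the arena contents, the "session cookie" neighbour and the function names are constructed for this demo.

```c
#include <stdio.h>
#include <string.h>

/* Simplified heartbeat record (RFC 6520): 1-byte type, 2-byte big-endian
 * payload_length, the payload, then at least 16 bytes of padding. */
#define HB_REQUEST 1
#define HB_PADDING 16

/* Constructed arena: a short heartbeat record followed by bytes that stand
 * in for unrelated data (here a session cookie) lying next to it in memory. */
static const unsigned char arena[] = {
    HB_REQUEST, 0x00, 0x20,                         /* claims 32 payload bytes */
    'h', 'i',                                       /* only 2 actually sent    */
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* 16 bytes of padding     */
    'S', 'E', 'S', 'S', 'I', 'O', 'N', '=', 'a', 'b', 'c', '1', '2', '3'
};
static const size_t record_len = 1 + 2 + 2 + HB_PADDING; /* bytes received */

static size_t claimed_len(const unsigned char *rec) {
    return ((size_t)rec[1] << 8) | rec[2];
}

/* Vulnerable pattern: copies payload_length bytes straight out of memory,
 * so a request that lies about its length echoes back whatever follows it. */
size_t vulnerable_heartbeat(const unsigned char *rec, unsigned char *out, size_t out_cap) {
    size_t n = claimed_len(rec);
    if (n > out_cap) n = out_cap;  /* keeps this demo itself within the arena */
    memcpy(out, rec + 3, n);
    return n;
}

/* Fixed pattern (the check the 1.0.1g patch adds): discard any request whose
 * claimed payload plus padding does not fit in the bytes actually received. */
size_t fixed_heartbeat(const unsigned char *rec, size_t rec_len,
                       unsigned char *out, size_t out_cap) {
    if (rec_len < 1 + 2 + HB_PADDING) return 0;
    size_t n = claimed_len(rec);
    if (1 + 2 + n + HB_PADDING > rec_len) return 0;  /* the missing bounds check */
    if (n > out_cap) return 0;
    memcpy(out, rec + 3, n);
    return n;
}

int main(void) {
    unsigned char out[64];
    size_t n = vulnerable_heartbeat(arena, out, sizeof out);
    printf("vulnerable handler echoed %zu bytes, ending in: %.*s\n", n, (int)(n - 18), (const char *)out + 18);
    printf("fixed handler echoed %zu bytes\n", fixed_heartbeat(arena, record_len, out, sizeof out));
    return 0;
}
```

The vulnerable handler returns the fake "SESSION=abc123" bytes to the peer, which is exactly the class of leak (keys, passwords, cookies) the article describes; the fixed handler returns nothing for the same request.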

This huge internet security vulnerability was patched earlier this week, and software should be updated to use the new version, 1.0.1g.
But to fully clean up the security issue, system admins of at-risk servers should generate new public-private key pairs, destroy their
session cookies, and update their SSL certificates before telling users to change every potentially compromised password on the vulnerable
systems.

In other internet security news

A new security flaw has exposed millions of internet passwords, credit card numbers and other sensitive data to potential theft
by computer hackers who may have been secretly exploiting the issue before its discovery this morning.

The security breach affects the encryption technology that is supposed to protect online accounts for emails, instant messaging and a
wide range of electronic commerce services.

Internet security researchers who uncovered the threat, known as "Heartbleed," are particularly concerned about the issue because
it went undetected for more than two years, giving hackers plenty of time to do some very nasty things.

Although there is now a method to close that security flaw, there are still plenty of reasons to be concerned, said David Chartier,
CEO of Codenomicon, a security company based in Finland.

A team at Codenomicon diagnosed Heartbleed while working independently with a Google researcher who also discovered the threat.

"I don't think anyone that had been using this technology is in a position to definitively say they weren't compromised," Chartier said.

Chartier and other computer security experts are advising people to consider changing all their online passwords. "I would change every
password everywhere because it's possible that something was sniffed out," said Wolfgang Kandek, chief technology officer for Qualys, a maker
of security-analysis software.

"You simply don't know since an attack wouldn't have left a distinct footprint anywhere," he added. But changing the passwords won't do
any good, these experts said, until the affected services install the software released Monday to repair the issue.

That places the onus on the Internet services affected by Heartbleed to alert their users to the potential risks and let them know when the
Heartbleed repair patch has been installed so they can change their passwords.

"This is going to be difficult for the average person to understand, because it's difficult to know who has done what and what is safe or not,"
Chartier added.

Yahoo, which boasts more than 800 million users globally, is among the Internet services firms that could be potentially hurt by Heartbleed. The
company said most of its popular services, including sports, finance and Tumblr, had been fixed, but work was still being done on other services that
it didn't identify in a statement late yesterday.

"We're focused on providing the most secure experience possible for all our users and are continuously working to protect our customers' data,"
Yahoo said.

To be sure, Heartbleed creates an opening in SSL/TLS, an encryption technology marked by the small, closed padlock and "https:" on Web browsers
to signify that internet traffic is secure. The security hole makes it possible to snoop on Internet traffic even if the padlock had been
closed.

Potential attackers could also take the keys for deciphering encrypted data without the website owners knowing the theft had occurred,
according to security researchers.

The security vulnerability affects only the variant of SSL/TLS known as OpenSSL, but that happens to be one of the most commonly used on the
Internet today.

About 68.4 percent of all Web servers rely on OpenSSL, Chartier said. That means the data passing through hundreds of thousands of websites
could be compromised, despite the protection offered by SSL encryption technology.

Besides emails and chats, OpenSSL is also used to secure virtual private networks, which are used by employees to connect with corporate
networks seeking to shield confidential information from prying eyes.

Heartbleed exposed a weakness in encryption at the same time that major Internet services such as Yahoo, Google, Microsoft and Facebook are
expanding their usage of technology to reassure the users about the security of their personal data.

The additional measures are being adopted in response to mounting concerns about the U.S. government's surveillance of online activities
and other communications.

The snooping has been revealed during the past ten months through a series of leaked documents from former NSA contractor Edward Snowden.

Despite several worries raised by Heartbleed, Codenomicon said that many large consumer sites aren't likely to be affected because of
their conservative choice of equipment and software.

"Ironically, smaller and more progressive services or those who have upgraded to the latest and best encryption will be affected most," the
security company added.

Although it may take several months for smaller websites to install the Heartbleed fix, Chartier predicted all the major Internet service
providers will act quickly to protect their reputations.

In a Tuesday post announcing it had installed the Heartbleed fix, Tumblr offered its users some blunt advice. "This still means
that the little lock icon (HTTPS) we all trusted to keep our passwords, personal emails, and credit cards safe, was actually making all
that private information accessible to anyone who knew about the exploit," Tumblr said.

"This might be a good day to change your passwords everywhere, especially your high-security services like email, file storage, and banking,
which may have been compromised by this security vulnerability," he added.

In other internet security news

The numbers were compiled Thursday and confirm what many system admins already had suspected.

DDoS (distributed denial of service) attacks have more than tripled since the start of 2014, according to a new study released on
Thursday that underscores zombie networks as the primary source of the junk traffic used to flood websites and other internet
properties.

Overall, about 29 percent of all botnets are located in India, China or Iran, while some are located in the U.S.

The study, by DDoS mitigation firm Incapsula, ranks the United States as number five in the list of “Top 10” attacking countries.

Several zombie networks have been deployed in multiple attacks. More than a quarter of botnets hit more than 50 targets a month,
according to Incapsula. And the trend appears to be increasing.

Traffic volumes are growing and 20 Gbps attacks are rapidly becoming normal. About 32.4 percent of all DDoS attacks are above 20 Gbps and
81.7 percent of assaults feature multiple strands of attack.

A normal SYN flood and large SYN flood combo is the most popular multi-vector attack-- a one-two punch technique that crops up in
75 percent of all attacks. NTP reflection was the most common large-scale attack method in January and February 2014.

The Incapsula study is based on hundreds of attacks on websites and other internet properties that use the company’s DDoS Mitigation
service.

In other internet security news

Oracle is warning its Australian customers in the enterprise segment to get ready for extra security patches in the coming months.

Recent changes to Australia's federal laws have led Oracle to warn its customers that one security patch will be needed to
handle a new gender equity reporting requirement, while changes to superannuation (tr. retirement pension) will mean another two.

Then there's a fourth patch that can be expected to handle general other changes expected in the Federal budget, which is delivered
in the first week of May and comes into effect as of July 1st.

Australia's financial management software vendors are briefed in advance of the Budget, so that vendors generally know what they
need to start working on.

Their software is also tuned to cope with the need for rapid adjustment. We understand that financial management packages have modular
designs to make it easy for vendors' outposts in different nations to encode local regulations into their wares.

We're aware that at least one top tier ERP vendor outsources the creation of these hyper-local patches, in part because the local
office is more concerned with (and competent at) sales and marketing than actual coding.

Even if outposts of multinational vendors have to scramble to get the job done, the work is probably welcome if Oracle's missive
is anything to go on-- only users of version 12.0 or higher of Oracle Payroll can put the patches to work.

Government therefore keeps users on the upgrade treadmill, along the way creating just the kind of red tape Australia's rulers will
this week decry with a “repeal day” dedicated to “cutting administrative overhead.”

In other internet security news

Farid Essebar, aka Diablo, has finally been arrested by Bangkok police after more than 3 years on the run, on suspicion of causing
no less than $4 billion worth of damage to Swiss banking systems and various other institutions in Europe.

The 27-year-old Moroccan, who has a Russian passport, was caught by police from the Department of Special Investigation (DSI), as
well as officials from the Immigration Bureau and the Office of the Attorney-General.

"We arrested the suspect at a condominium on Rama Road. Thailand will then send him to Switzerland within 90 days in accordance
with the extradition agreement," police chief Songsak Raksaksakul said.

Swiss authorities are said to have alerted the Thai police through their embassy in Bangkok that the hacker and three associates
had come to the south-east Asian country.

Why it took so long to track him down is still a mystery, although the report claims that law enforcers wanted to make sure they got
a positive identification of the suspect before swooping in for an arrest.